Abstract

This paper describes the security weaknesses of a recently proposed secure communication method based on chaotic masking using projective synchronization of two chaotic systems. We show that the system is insecure and how to break it in two different ways, by high-pass filtering and by generalized synchronization.



1 Introduction 



In recent years, considerable effort has been devoted to extending chaotic communication applications to the field of secure communications. The possibility of synchronizing two coupled chaotic systems was first shown by Pecora and Carroll [1,2,3] and opened the possibility of using the signals generated by chaotic systems as carriers for analog and digital communications. This discovery soon aroused great interest as a potential means for secure communications [4]. Accordingly, a great number of cryptosystems based on chaos have been proposed [5,6,7,8,9], some of them fundamentally flawed by a lack of robustness and security [10,11,12,13,14,15,16].

Projective synchronization (PS) is an interesting phenomenon first described by Mainieri and Rehacek [17]. It consists of the synchronization of two partially linear coupled chaotic systems, master and slave, in which the amplitude of the slave system is a scalar multiple, called the scaling factor, of that of the master system in the phase space. The original study was restricted to three-dimensional partially linear systems. Later, Xu and Li [18] showed that PS could be extended to general classes of chaotic systems without partial linearity, by means of feedback control of the slave system; they illustrated the applicability to the Lorenz, Chua and hyperchaotic Rössler systems.

In a recent paper, Li and Xu [19] proposed a secure communication scheme based on PS chaotic masking. The authors claimed that the unpredictability of the scaling factor of the PS can additionally enhance the security of communications. Furthermore, the authors proposed the use of an invertible function $F$, in such a way that the transmitted ciphertext signal will be $U(t) = x_1 + F[x_1, y_1, z_1, m(t)]$, where $x_1$, $y_1$ and $z_1$ are the variables of a three-dimensional chaotic system and $m(t)$ is the plaintext (which in their paper is assumed to be a sound signal). They claimed that the security of the information can also be guaranteed because the function $F$ could be arbitrarily chosen. They illustrated the feasibility of the scheme with two examples, based on the Lorenz and the hyperchaotic Rössler systems, respectively.

In this article we show that the proposed cryptosystem is insecure and how to break it in two different ways, by high-pass filtering and by generalized synchronization, for both examples based on the Lorenz and the hyperchaotic Rössler systems.

In [19], the first example is based on the following Lorenz system:

$$\dot{x}_1 = \sigma (y_1 - x_1), \tag{1}$$
$$\dot{y}_1 = (\mu - z)\, x_1 - y_1, \tag{2}$$
$$\dot{z}_1 = x_1 y_1 - \rho z_1, \tag{3}$$

with parameter values $\{\sigma, \mu, \rho\} = \{10, 60, 8/3\}$. The transmitted signals from the sender to the receiver end are the shared scalar variable $z_1$ and the ciphertext $U(t) = x_1 + F[x_1, y_1, z_1, m(t)]$, where the function $F$ was specified as $F[x_1, y_1, z_1, m(t)] = y_1 + m(t)$.

The second example is based on the hyperchaotic Rössler system defined by the authors as:

$$\dot{x}_1 = -y_1 - z_1, \tag{4}$$
$$\dot{y}_1 = x_1 + a y_1 + w_1, \tag{5}$$
$$\dot{z}_1 = b + x_1 z_1, \tag{6}$$
$$\dot{w}_1 = c z_1 + d w_1, \tag{7}$$

with parameter values $\{a, b, c, d\} = \{0.25, 3, -0.5, 0.05\}$. In this example, the transmitted signals from the sender to the receiver end are the shared scalar variable $w_1$ and the ciphertext $U(t) = x_1 + F[x_1, y_1, z_1, w_1, m(t)]$, where $F$ was specified as $F[x_1, y_1, z_1, w_1, m(t)] = y_1 + m(t)$.



2 Loose system key specification 

Although the authors seem to base the security of their communication system on the chaotic behavior of the output of a chaotic or hyperchaotic non-linear system, no analysis of security was included. Instead, an unproved assertion saying that "the security of information can be guaranteed" was given in the conclusion.

The first issue to be considered is the key of the system. A cryptosystem cannot 
exist without a key, otherwise, it might be considered as a coding system, but 
never regarded as a secure system. In [19] it is not considered whether there 
should be a key in the proposed system, what it should consist of, what the 
available key space would be, and how it would be managed. 

When cryptanalyzing a cryptosystem, the general assumption made is that the cryptanalyst knows exactly the design and working of the cryptosystem under study, i.e., he knows every detail about the ciphering algorithm, except the secret key. This is an evident requirement in today's secure communications systems, usually referred to as Kerckhoffs' principle [20].

In [19] it was stated that the arbitrary selection of the function $F$ will warrant the information security. But according to Kerckhoffs' principle, the function $F$ must be publicly known and may not be considered part of the key. At most, its structure could contain some factors or constants whose values can play the role of secret key; but, unfortunately, the authors of [19] have not considered such a possibility, nor which conditions the function $F$ might satisfy, nor how many usable functions there are, nor how much they can contribute to the system security. Much care must be exercised when selecting the function $F$. Otherwise, choosing different functions might create different ciphertexts that can nevertheless be decrypted using the same algorithm, as shown in Sec. 4.



3 Inefficiency as a masking system 

It is supposed that chaotic masking is an adequate means for secure transmission, because chaotic systems present some properties such as sensitive dependence on parameters and initial conditions, ergodicity, mixing, and dense periodic points. These properties make them similar to pseudorandom noise [21], which has been used traditionally as a masking signal for cryptographic purposes.
Fig. 1. Encrypted transmission of a plaintext of amplitude 0.2 and frequency 16.352 Hz, by masking with the Lorenz system described in [19]: (a) logarithmic power spectrum of the ciphertext; (b) retrieved plaintext by high-pass filtering of the ciphertext.

A fundamental requirement of the pseudorandom noise used in cryptography is that its spectrum should be infinitely broad, flat and of much higher power density than the signal to be concealed. In other words, the plaintext power spectrum should be effectively buried in the pseudorandom noise power spectrum. The cryptosystem proposed in [19] does not satisfy this condition. On the contrary, the spectrum of the signal generated by the Lorenz oscillator is narrow-band, decaying very fast with increasing frequency, and shows a power density much lower than the plaintext at plaintext frequencies.

In [19] the sound of a water flow was used as the plaintext message $m(t)$, but no details are given about its waveform or power spectrum. From [19, Fig. 2] it can be appreciated that its amplitude is roughly 0.2. In our simulation we have used, instead, a well-defined plaintext signal $m(t) = \sin(2\pi\,16.352\,t)$, which corresponds to a pure tone of 16.352 Hz, the lowest note generated by a musical instrument (the $C_0$ of a 32 ft pipe of a pipe organ [22,23]), with the same peak amplitude as [19, Fig. 2], namely 0.2.

Figures 1(a) and 2(a) illustrate the logarithmic power spectra of the ciphertext when the Lorenz attractor and the hyperchaotic Rössler attractor are used as the chaotic system, respectively, with the same parameter values previously described.

It can be seen that in both examples the plaintext signal clearly emerges at 16.352 Hz over the background noise created by the Lorenz and hyperchaotic Rössler oscillators, with a power of −40 dB and −50 dB, respectively, relative to the maximum power of the ciphertext spectrum, while the power density of the ciphertext, at neighboring frequencies, falls below −80 dB and −125 dB, respectively.

Fig. 2. Encrypted transmission of a plaintext of amplitude 0.2 and frequency 16.352 Hz, by masking with the hyperchaotic Rössler system described in [19]: (a) logarithmic power spectrum of the ciphertext; (b) retrieved plaintext by high-pass filtering of the ciphertext.

To recover the plaintext we did not use a chaotic receiver; instead, the ciphertext was high-pass filtered. The procedure is illustrated in Figs. 1(b) and 2(b). The filter employed was a finite impulse response one. To avoid phase non-linearities and distortion, it was constructed with a 512-coefficient Hamming window, with a cutoff frequency of 13 Hz. For the Lorenz system, the result is a good estimation of the plaintext after a short initial transient of approximately 0.3 seconds. Note that this is the hardest case an attacker can face from the point of view of plaintext frequency, because for higher sound frequencies the spectrum of the background noise created by the Lorenz oscillator is even lower. For the hyperchaotic Rössler system, the result is a perfect recovery after a short initial transient of approximately 0.1 seconds.



4 Generalized synchronization attack 



The former attack method works only for plaintext frequencies higher than the 13 Hz cut-off frequency of the high-pass filter employed. For very low plaintext frequencies the noise created by the chaotic oscillators effectively masks the plaintext, preventing its retrieval by direct high-pass filtering. But plaintext signals of very low frequency may still be retrieved if we know what kind of non-linear time-varying system was used for encryption, even without knowledge of its parameter and initial condition values. To show this possibility we have implemented two cryptanalysis procedures based on generalized synchronization [24,25,26,27].

4.1 Breaking the Lorenz system 

To break the PS-based chaotic masking scheme under study, using the Lorenz system, we use the following intruder receiver:

$$\dot{x}_2 = \sigma^* (y_2 - x_2) + p\,\varepsilon, \tag{8}$$
$$\dot{y}_2 = (\mu^* - z)\, x_2 - y_2 + q\,\varepsilon, \tag{9}$$

where $\{\sigma^*, \mu^*\}$ are the intruder receiver's Lorenz system parameters and $\varepsilon$ is the instantaneous value of the recovery error, $\varepsilon = U(t) - (x_2 + y_2) = m(t) + x_1 + y_1 - x_2 - y_2$. The terms $p\,\varepsilon$ and $q\,\varepsilon$ work as feedback of the recovery error, in order to achieve generalized synchronization between sender and receiver; $p$ and $q$ are two scalars that may accept a wide range of values, from 1 to more than 400, and one of them may even be absent. Synchronism is achieved for any combination of $p$ and $q$ values, but the amplitudes of $x_2$ and $y_2$ do not match those of $x_1$ and $y_1$ while $\sigma^* \neq \sigma$ or $\mu^* \neq \mu$.

By making $p = \sigma^*$, Eq. (8) is simplified, becoming independent of $y_2$ and hence not depending upon the adjustment of $\mu^*$. In this way $x_1 = x_2$ whenever $\sigma^* = \sigma$, regardless of the value of $\mu^*$. Also, we have found experimentally that the best results for fast convergence of the synchronism and minimum recovery error are obtained when $q = \sqrt{\sigma^*}$. With those settings our intruder receiver is redefined as:

$$\dot{x}_2 = -2\sigma^* x_2 + \sigma^* U(t), \tag{10}$$
$$\dot{y}_2 = (\mu^* - \sqrt{\sigma^*} - z)\, x_2 - (1 + \sqrt{\sigma^*})\, y_2 + \sqrt{\sigma^*}\, U(t). \tag{11}$$

Figure 3 illustrates the synchronization mechanism between sender and intruder receiver. The values of the sender parameters are $\{\sigma, \mu\} = \{10, 60\}$ and the initial conditions of the sender and receiver are $\{x_1(0), y_1(0), z_1(0), x_2(0), y_2(0)\} = \{0, 0.2, 30, 20, 1\}$. Figure 3(a) shows the first 8 seconds of the plot of the sender variables $z_1$ vs. $x_1$. Figure 3(b) shows the plot of the sender variable $z_1$ vs. the intruder receiver variable $x_2$ when $\{\sigma^*, \mu^*\} = \{10, 80\}$; comparing (a) and (b) it can be seen that both phase portraits are identical, after the short initial transient originated by the different initial conditions. Figure 3(c) shows the plot of the sender variable $x_1$ vs. the intruder receiver variable $x_2$ when $\{\sigma^*, \mu^*\} = \{10, 80\}$; it can be seen that the phase and amplitude of $x_2$ match exactly those of $x_1$ after the initial transient, although $\mu^* \neq \mu$. Finally, Fig. 3(d) shows the plot of the sender variable $x_1$ vs. the intruder receiver variable $x_2$ when $\sigma^*$ and $\mu^*$ completely differ from $\sigma$ and $\mu$, revealing that both systems are synchronized, although their amplitudes and phases do not match exactly.

Fig. 3. Generalized synchronization of the Lorenz attractor: (a) plot of the sender variables $z_1$ vs. $x_1$, for $\{\sigma, \mu\} = \{10, 60\}$; (b) plot of the sender variable $z_1$ vs. the intruder receiver variable $x_2$, for $\{\sigma^*, \mu^*\} = \{10, 80\}$; (c) plot of the sender variable $x_1$ vs. the intruder receiver variable $x_2$, for $\{\sigma^*, \mu^*\} = \{10, 80\}$; (d) plot of the sender variable $x_1$ vs. the intruder receiver variable $x_2$, when $\{\sigma^*, \mu^*\} = \{40, 80\}$. The initial conditions in all cases were $\{x_1(0), y_1(0), z_1(0), x_2(0), y_2(0)\} = \{0, 0.2, 30, 20, 1\}$.

We have estimated and recorded the logarithm of the mean value of the squared error $\varepsilon^2$, i.e. the error power, for the range of the intruder receiver system parameter values $\sigma^*$ and $\mu^*$ that give rise to the chaotic behavior of the Lorenz attractor, with the same transmitter system parameters of the numerical example presented in [19, Fig. 2] and the intruder receiver described by Eqs. (10) and (11). The results are presented in Fig. 4. The mean of $\varepsilon^2$ is computed along the first 1.5 seconds, after a delay of 0.5 seconds to let the initial transient finish. It is clearly seen that the error grows monotonically with the mismatch between the transmitter and receiver parameters $\{|\sigma^* - \sigma|, |\mu^* - \mu|\}$ and that the minimum error corresponds to the receiver system parameter values $\{\sigma^*, \mu^*\}$ exactly matching the transmitter system parameter values $\{\sigma, \mu\}$.

Fig. 4. Relative logarithmic representation of the mean of the error power $\varepsilon^2$, for $\sigma^* = \{5, 7.5, 10, 20, 30, 40\}$ as a function of $\mu^*$.

The parameter value recovery procedure consists of the straightforward search for the minimum recovery error $\varepsilon$. Once the correct values $\{\sigma^*, \mu^*\} = \{\sigma, \mu\}$ are found, the term $x_1 + y_1 - x_2 - y_2$ vanishes and the recovery error is just equal to the plaintext signal $m(t)$.

The search for the correct parameter values $\{\sigma^*, \mu^*\}$ can be done in the following way: first, select an initial value for $\sigma^*$ centered in its usable range; second, vary the value of $\mu^*$ until a minimum error is reached; third, keep this value and vary the value of $\sigma^*$ until a new minimum error is reached; fourth, check if the remaining error $\varepsilon$ is a clean recognizable plaintext, and if not, repeat the second and third steps. Note that this method retrieves all at once the correct values of $\sigma^*$, $\mu^*$, and the plaintext.

The procedure is illustrated in Fig. 5, for a plaintext $m(t) = \cos(2\pi\,4\,t)$, whose frequency is so low that it cannot be retrieved by the previously described direct high-pass filtering method. When the initial parameter values are chosen at random as $\{\sigma^*, \mu^*\} = \{16, 70\}$, the corresponding error reaches a peak value near 70. Then the $\mu^*$ value is varied until a minimum of the error is found for $\mu^* = 60$; it can be seen that now the peak error value after the initial transient is reduced to about 15. Next, the $\sigma^*$ value is varied until a new error minimum is reached for $\sigma^* = 10$; now the error is reduced to the plaintext itself, plus some noise of reduced amplitude that may be easily removed by a high-pass filter, if necessary.

Fig. 5. Plaintext and parameter recovery of the Lorenz system by generalized synchronization analysis; the transmitter parameters are $\{\sigma, \mu, \rho\} = \{10, 60, 8/3\}$: (a) plaintext $m(t) = \cos(2\pi\,4\,t)$; (b) receiver error for unadjusted intruder receiver parameters $\{\sigma^*, \mu^*\} = \{16, 70\}$; (c) receiver error for partially adjusted intruder receiver parameters $\{\sigma^*, \mu^*\} = \{16, 60\}$; (d) receiver error for correct intruder receiver parameters $\{\sigma^*, \mu^*\} = \{10, 60\}$; (e) receiver error for correct intruder receiver parameters $\{\sigma^*, \mu^*\} = \{10, 60\}$, and unadjusted function $F = -0.7 x_1 + 0.3 y_1 + m(t)$.

We have found that our method works as well for the whole family of functions of the form $F = (h - 1)\, x_1 + h\, y_1 + m(t)$, where $h$ is a scalar of any value. The plaintext $m(t)$ is correctly recovered for any ciphertext of the form $U(t) = x_1 + F[x_1, y_1, m(t)]$. This fact demonstrates that great care must be exercised when selecting the function $F$, because some changes in the values of its factors and constants may be useless to enlarge the key space, hence not improving the system security at all. In Fig. 5(e) a time history of the retrieved message for a function of the form $F = -0.7 x_1 + 0.3 y_1 + m(t)$ is presented, when decoded by an intruder receiver adjusted to recover a function of the type $F = y_1 + m(t)$. It can be observed that the only difference with Fig. 5(d) is the magnitude and duration of the initial transient.
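The parameter search of Section 4.1, written out as an added example that is not part of the original paper: a pure-Python simulation of the sender of Eqs. (1)-(3) coupled to the intruder receiver of Eqs. (10)-(11), which is driven only by the public signals U(t) and z1(t). It assumes the feedback gain q = sqrt(sigma*), a 1 ms RK4 step, a 1 s settling delay followed by a 2 s averaging window, and an exhaustive grid search in place of the alternating one-parameter search; all function names are illustrative, and the parameter `h` selects a member of the F family discussed above.

```python
import math

SIGMA, MU, RHO = 10.0, 60.0, 8.0 / 3.0   # sender parameters (unknown to the intruder)
STATE0 = [0.0, 0.2, 30.0, 20.0, 1.0]     # x1, y1, z1, x2, y2 at t = 0, as in Fig. 3

def plaintext(t):
    return math.cos(2.0 * math.pi * 4.0 * t)   # m(t) of Fig. 5(a)

def deriv(t, s, sigma_r, mu_r, h):
    """Sender, Eqs. (1)-(3), followed by the intruder receiver, Eqs. (10)-(11)."""
    x1, y1, z1, x2, y2 = s
    u = h * (x1 + y1) + plaintext(t)     # U = x1 + F with F = (h-1)*x1 + h*y1 + m
    q = math.sqrt(sigma_r)               # assumed feedback gain q of Eq. (11)
    return [
        SIGMA * (y1 - x1),
        (MU - z1) * x1 - y1,
        x1 * y1 - RHO * z1,
        -2.0 * sigma_r * x2 + sigma_r * u,              # needs only U(t)
        (mu_r - q - z1) * x2 - (1.0 + q) * y2 + q * u,  # needs only U(t) and z1(t)
    ]

def rk4_step(t, s, dt, *args):
    def shifted(k, c):
        return [a + c * b for a, b in zip(s, k)]
    k1 = deriv(t, s, *args)
    k2 = deriv(t + dt / 2, shifted(k1, dt / 2), *args)
    k3 = deriv(t + dt / 2, shifted(k2, dt / 2), *args)
    k4 = deriv(t + dt, shifted(k3, dt), *args)
    return [a + dt / 6 * (b + 2 * c + 2 * d + e)
            for a, b, c, d, e in zip(s, k1, k2, k3, k4)]

def recover(sigma_r, mu_r, h=1.0, t_end=3.0, skip=1.0, dt=1e-3):
    """Residual eps(t) = U - (x2 + y2), sampled after the first `skip` seconds."""
    s, ts, eps = list(STATE0), [], []
    for n in range(round(t_end / dt)):
        t = n * dt
        if t >= skip:
            x1, y1, _, x2, y2 = s
            ts.append(t)
            eps.append(h * (x1 + y1) + plaintext(t) - x2 - y2)
        s = rk4_step(t, s, dt, sigma_r, mu_r, h)
    return ts, eps

def error_power(sigma_r, mu_r, h=1.0):
    _, eps = recover(sigma_r, mu_r, h)
    return sum(e * e for e in eps) / len(eps)

def search(sigmas, mus):
    """Grid point (sigma*, mu*) with the smallest mean squared residual."""
    return min(((s, m) for s in sigmas for m in mus),
               key=lambda p: error_power(*p))

def tone_amplitude(ts, eps, freq):
    """Amplitude of the `freq` Hz component of eps (single-bin DFT)."""
    w = 2.0 * math.pi * freq
    re = sum(e * math.cos(w * t) for t, e in zip(ts, eps))
    im = sum(e * math.sin(w * t) for t, e in zip(ts, eps))
    return 2.0 * math.hypot(re, im) / len(eps)

if __name__ == "__main__":
    best = search((4.0, 7.0, 10.0, 13.0, 16.0), (50.0, 55.0, 60.0, 65.0, 70.0))
    print("recovered (sigma*, mu*):", best)
    print("residual power, h = 1 and h = 0.3:",
          error_power(*best), error_power(*best, h=0.3))
```

At the matched parameters the residual power is the same for h = 1 and h = 0.3: once z1 is given, the (x, y) subsystem is linear, so scaling x1 + y1 changes only the initial transient.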

4.2 Breaking the hyperchaotic Rössler system

To break the PS-based chaotic masking scheme under study, when the hyperchaotic Rössler system is used to generate the masking signal, we follow a procedure similar to the one used in the preceding section. Now the intruder receiver is:

$$\dot{x}_2 = -y_2 - z_2 + p\,\varepsilon, \tag{12}$$
$$\dot{y}_2 = x_2 + a^* y_2 + w_1, \tag{13}$$
$$\dot{z}_2 = b^* + x_2 z_2, \tag{14}$$

where $p$ is a scalar. We have found the best results with $p = 10$.

Here the instantaneous value of the recovery error is defined as $\varepsilon = U(t) - (x_2 + y_2) = m(t) + x_1 + y_1 - x_2 - y_2$. When the synchronism is reached it happens that $x_1 + y_1 = x_2 + y_2$, hence the error is $\varepsilon = m(t)$, thus allowing the exact recovery of the plaintext.

Figure 6 illustrates the plaintext recovered for various sets of intruder receiver parameter values, the plaintext being $m(t) = \cos(2\pi\,2.5\,t)$, whose frequency is so low that it cannot be retrieved by the previously described direct high-pass filtering method. It can be observed that the intruder receiver is quite insensitive to the values of the parameters $\{a^*, b^*\}$ and the structure of the function $F$. Fig. 6(b) shows that when the parameter values of sender and intruder receiver do not match at all, the plaintext is still visible; a residual interference is present, but its intensity is not big enough to preserve the confidentiality of the communications. This interference can be easily removed, if desired, by trial and error in a few steps. The first parameter to be adjusted is $a^*$, because it has the most influence on the shape of the retrieved waveform. Fig. 6(c) shows the waveform for $a^*$ correctly adjusted while $b^*$ is kept unadjusted. Then the parameter $b^*$ must be adjusted until a clean recovered plaintext waveform is reached, as illustrated in Fig. 6(d).

We have tested several different invertible functions $F$ as building blocks of the sender ciphertext, and it has been observed that quite different functions allow for the almost correct retrieval of the plaintext. Figure 6(e) dramatically illustrates this fact: when a function as complicated as F = 26 + 0.5y^-fm(t) is used for transmission, while maintaining an intruder receiver designed for decoding a function of the type $F = y_1 + m(t)$, together with a total parameter mismatch between sender and receiver as $\{a, b, a^*, b^*\} = \{0.25, 3, 0.4, 20\}$, we can see that the retrieved waveform still retains enough plaintext information to completely compromise the security of the communication.

Fig. 6. Plaintext and parameter recovery by generalized synchronization analysis; the sender parameters are $\{a, b, c, d\} = \{0.25, 3, -0.5, 0.05\}$: (a) plaintext $m(t) = \cos(2\pi\,2.5\,t)$; (b) receiver error for unadjusted intruder receiver parameters $\{a^*, b^*\} = \{0, 0\}$; (c) receiver error for partially adjusted intruder receiver parameters $\{a^*, b^*\} = \{0.25, 0\}$; (d) receiver error for the correct intruder parameter values $\{a^*, b^*\} = \{0.25, 3\}$; (e) receiver error for wrong intruder receiver parameter values $\{a^*, b^*\} = \{0.25, 3\}$, and unadjusted function F = 26 + + $\cos(2\pi\,2.5\,t)$.



5 Other weaknesses of the proposed system 



The knowledge of the scaling factor $\alpha$ is not required to retrieve the plaintext if a high-pass filter attack or a generalized synchronization recovery procedure is implemented, as we did. Hence the scaling factor does not add any strength to the system security, contrary to the claims of the authors of [19].

Thanks to the plain transmission of the shared scalar variables $z_1$ or $w_1$, inherent to the PS scheme, the third Lorenz system parameter $\rho$ and the hyperchaotic Rössler parameters $c$ and $d$ need not be determined to recover the plaintext when using a generalized synchronization receiver, as opposed to other cryptosystems that use the Lorenz or hyperchaotic Rössler systems as a masking signal. Therefore an additional advantage is offered by the authors of [19] to the opponent eavesdropper.



6 Conclusion 

In summary, the proposed PS-based chaotic masking cryptosystem is rather weak, since it can be broken in two easy ways, the first without knowledge of the transmitter's precise structure and the second knowing the transmitter structure but not its parameter values. The alleged security advantage of the cryptosystem, based on the eavesdropper's lack of knowledge of the scaling factor $\alpha$, is incorrect: its knowledge is completely irrelevant to retrieving the plaintext. The function $F$ does not clearly enhance the security, owing to the fact that a wide range of different functions generate ciphertexts equally breakable with the same intruder receiver with a unique parameter adjustment. There is no mention of what the key is, nor of what the key space is, a fundamental aspect in every secure communication system. The total lack of security discourages the use of this communication scheme for secure applications, unless some modifications are made to essentially enhance its security.